One of the most useful things a local IT department can do when confronted with a security event is to capture information. A fresh dataset, captured hours or days after an event, can be crucial in order to answer important questions at a later stage. Once captured in a standard manner, the digital footprints are “frozen” and ready to be analyzed months or years later. The argument between professional capture and software-only capture is a valid one.

Professional capture uses specialized equipment to capture media (we use the Forensic UltraDock from CRU for commercial engagements) and also maintains detailed photographic and written documentation about the chain of custody of the media. This is essential for the forensic report to stand scrutiny in court or to be taken seriously as an analysis in international jurisdictions. Write-blocking equipment is also useful to the team capturing data, as it stops them from accidentally writing to the drives if their capturing setup is misconfigured. Overwriting a laptop hard drive when attempting to image it overnight can be a serious problem. Write-blocking equipment can also skip bad blocks on damaged hard drives, errors that would otherwise cause a forensic PC to freeze or stop capturing altogether. Write-blocking equipment will also image drives a lot faster, using SATA/SAS connectivity on a dedicated forensic workstation, than the existing CPU limits and connectivity ports on the target device allow. Software imaging of a low-powered laptop over USB normally peaks at 10-20MB/s, which barely results in 1GB per minute. With the average image being 120GB, a normal exercise would take 2 hours, with days being the norm for terabyte-size drives.

However, write-blockers are hard to come by in Vietnam. We have found no distributors of CRU or Tableau equipment in country and we regularly source our forensic kit from Europe or the US. Write-blockers also rely on extracting the relevant hard drives from machines, which is hard to do on some target systems (MacBooks and other systems not designed to be taken apart easily). Given the circumstances, appropriate use of software-only capture can be as effective if the relevant precautions are taken. The easiest way to do a forensic capture of a machine (server, laptop, desktop) is to boot it from a USB drive with specialized software and capture all the data (internal storage) to an external hard drive.

DEFT Zero iso image, available on this website. Download the current DEFT Zero iso image from this website. The image is 530MB in size, so you will need a USB pen drive of 1GB or more. That USB drive does not need to be fast, as it is only read to boot up the system.

An external hard drive with a capacity at least equal to, and preferably higher than, the internal hard drives of the device.

To install the iso image as a bootable USB drive, follow these tutorials:

1) Windows: use Rufus or the Microsoft CD/DVD imaging tool. Just insert the USB drive, ensure it is listed in the device drop-down menu, click on “create a bootable disk using ISO image”, select the MBR partition scheme for BIOS or UEFI (for a PC target) or GPT (for a Mac target), and select the DEFT Zero iso image in question from the little CD drive icon. Rufus is our preferred tool, as it is normally twice as fast as other tools. Just follow the instructions with the existing ISO image. You will need to have the pen drive with a single FAT partition (which is the default). The time taken will depend on the USB drive, but is normally well under 5 minutes to image.

2) Linux and Mac OS X: use UNetbootin. Just select the non-recommended option of writing the image in DD image mode. You will get a warning stating that the image you have selected is an “ISOHybrid” image.

If the target system is powered on, do not perform an orderly shutdown. Just pull the plug at the back, or, for a laptop, either long-press the power button or remove the battery.
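As an added example that is not part of the DEFT Zero guide, the script below shows what “the relevant precautions” of a software-only capture look like once the target has been booted from the USB drive: it refuses to write the image onto the source device or over an existing image, keeps reading past bad blocks the way write-blocker hardware would (GNU dd with conv=noerror,sync, so unreadable blocks become zero-filled and offsets stay aligned), and records SHA-256 hashes and timestamps in a log so the capture can be verified months later. The device and evidence paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the DEFT Zero guide: a software-only capture that
# reproduces the precautions the article credits to write-blocker hardware.
# Usage: capture_image SOURCE_DEVICE IMAGE_FILE   (paths are placeholders)
#   capture_image /dev/sda /mnt/evidence/laptop01.dd

capture_image() {
    src="$1"
    out="$2"
    log="$out.log"

    # Precaution 1: the image must never land on the device being captured,
    # and an existing image is never overwritten (no accidental destruction).
    if [ "$(readlink -f "$out")" = "$(readlink -f "$src")" ]; then
        echo "refusing: image path resolves to the source device" >&2
        return 1
    fi
    if [ -e "$out" ]; then
        echo "refusing: $out already exists" >&2
        return 1
    fi

    # Precaution 2: document what was captured and when (chain of custody).
    {
        echo "source:  $src"
        echo "image:   $out"
        echo "started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$log"

    # Precaution 3: keep reading past bad blocks instead of freezing.
    # noerror continues after a read error; sync zero-pads the short input
    # block so image offsets stay aligned with the drive. A small ibs limits
    # how much data one bad sector costs; a large obs keeps writes fast.
    dd if="$src" of="$out" ibs=4096 obs=1M conv=noerror,sync 2>> "$log"

    # Precaution 4: hash source and image so the capture can be verified
    # months or years later; a mismatch means the image is not evidence.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$out" | cut -d' ' -f1)
    echo "sha256 source: $src_hash" >> "$log"
    echo "sha256 image:  $img_hash" >> "$log"
    echo "finished: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        echo "verification: MATCH" >> "$log"
        return 0
    fi
    echo "verification: MISMATCH (zero-filled bad blocks?)" >> "$log"
    return 2
}
```

On a drive with unreadable sectors the two hashes will differ by design; the log then documents exactly that, which is what a reviewer of the report needs to see.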